I am the CEO and co-founder of Centrify Corporation, a software and cloud security provider that delivers unified identity services across data center, cloud and mobile. Under my leadership Centrify has raised $50 million in VC funding and has become one of the fastest growing security vendors in the industry with over 5,000 customers including nearly 50% of the Fortune 50. Prior to Centrify I held various executive, technical and marketing roles at NetIQ Corporation, Compuware Corporation, EcoSystems Software and Oracle Corporation. I was also an Entrepreneur in Residence at Mayfield, a leading venture capital firm. I hold a Bachelor of Science degree in computer science and in history from the University of Michigan. You can follow me on Twitter at http://twitter.com/#!/ThomasRKemp or follow my Centrify blog at http://www.centrify.com/blogs/overview.asp.

Security's Inside Jobs

The security market was abuzz last week with reports of another “insider threat” incident. This time it was a disgruntled ex-employee of a pharmaceutical company who created chaos at his former employer by logging in from a McDonald’s in Georgia and wiping clean 88 mission-critical servers located in the company’s New Jersey data center. In the end this highlights a significant new IT security need that analyst groups are calling “superuser privilege management.”

As reported by technology publications such as PCWorld, the U.S. Department of Justice stated in court filings last week that Jason Cornish, a former IT worker “at the U.S. subsidiary of Japanese drug-maker Shionogi, pleaded guilty Tuesday to computer intrusion charges in connection with the attack on Feb. 3, 2011.” eWeek also reported that “the attacks were severe enough to freeze Shionogi’s operations” for a number of days and that the “breach affected Shionogi’s corporate email, BlackBerry servers, order-tracking system and financial management software.” The pharmaceutical company estimated total damages from this insider attack to be $800,000.

How did Cornish cause so much damage? The court filings make clear that Shionogi did a poor job of disabling the passwords of terminated employees and contractors: months after Cornish was let go, he was still able to log into the Shionogi corporate network with a privileged network account. The attack itself was launched from a McDonald’s in Smyrna, Georgia over a free public WiFi hotspot. Fortunately, per eWeek, it turns out that “authorities were able to trace the attacking IP address back to the McDonald’s and located Cornish, thanks to the $4.96 charge on his Visa credit card just five minutes earlier.”

Clearly there will always be disgruntled former employees who will try to get back at their former employers, and/or current employees who can’t resist the temptation to steal sensitive information from the inside and try to make a profit. So as these types of insider threat incidents gain more awareness, the next question is how to minimize this risk. IT organizations and analysts are now spending more time focusing on a technology called “superuser privilege management” that can help minimize this growing threat.

So what is superuser privilege management? It has to do with the fact that most mission-critical systems, applications and databases have an administrative username and password (i.e. a privileged account) to enable installation, configuration, administration and management of those platforms. And it turns out that most large IT organizations have hundreds of people who need to administer Windows or UNIX systems (“the sys admins”), their databases (“the DBAs”), their networks (“the network admins”), as well as multiple personnel who either develop applications (“the developers”) and/or administer applications (“the app admins”).

These are in effect the “superusers” in one’s IT organization whose privileges need to be managed. And it means that the more superusers an organization has, the more people have “keys” (i.e. administrative access) to these “kingdoms” (i.e. systems and applications) and the valuable information that resides behind the kingdom doors. The point is that it is not the average end user who can cause a major insider breach, as their accounts tend to have limited access to critical data; it is the “superuser” who has the keys to the proverbial kingdom who can potentially do the real damage.

Given this awareness, the key security concerns that IT organizations are now focusing on include figuring out who within the organization actually has administrative access, whether IT staff are sharing these privileged accounts, and how they can better control and audit what those accounts can do.

So where is an IT organization to start? First of all I definitely think the motto “trust but verify” should apply. The vast majority of IT staff are dedicated and trustworthy individuals, but the impact of a few bad apples with this type of power cannot be ignored, and safeguards need to be put in place.

After that, probably the first step is to avoid handing out shared privileged accounts and instead get IT staff to use personal accounts, i.e. have IT users always log in as themselves rather than sharing the “root” account. This leads to better accountability and traceability of actions. And the more an IT organization can consolidate identities into an authoritative identity store, the better, since that makes it even easier to de-provision the accounts of a terminated employee or contractor.
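As an added illustration (not Centrify’s code or anything from the article), here is a small audit that turns the two points above into checks: it reconciles privileged group membership against an authoritative roster to find accounts that should have been de-provisioned, and it flags logins to a shared “root” account where no individual is accountable. The group file, roster and sshd log lines are constructed sample data.

```python
"""Audit privileged access against an authoritative identity store.

Assumptions (this example's, not the article's): privileged access is
expressed as membership in root-equivalent groups in an /etc/group-style
file, the authoritative store is an HR roster mapping user -> status,
and logins are visible as sshd "Accepted" lines. All data is constructed.
"""
import re

# Constructed /etc/group excerpt: which accounts sit in privileged groups.
GROUP_FILE = """\
root:x:0:
wheel:x:10:alice,bob,jcornish
dba:x:500:carol,jcornish
"""

# Constructed authoritative roster; 'jcornish' is a terminated contractor.
ROSTER = {"alice": "active", "bob": "active",
          "carol": "active", "jcornish": "terminated"}

# Constructed sshd log lines; a direct root login hides who actually acted.
AUTH_LOG = """\
Feb  3 02:11:05 srv01 sshd[1044]: Accepted password for root from 198.51.100.7 port 50210 ssh2
Feb  3 02:14:40 srv01 sshd[1051]: Accepted publickey for alice from 10.0.0.12 port 50211 ssh2
Feb  3 02:20:13 srv01 sshd[1077]: Accepted password for jcornish from 198.51.100.7 port 50219 ssh2
"""

PRIVILEGED_GROUPS = {"root", "wheel", "dba"}
LOGIN_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")


def privileged_members(group_text):
    """Map each privileged group to the set of accounts that belong to it."""
    members = {}
    for line in group_text.splitlines():
        name, _pw, _gid, users = line.split(":")
        if name in PRIVILEGED_GROUPS:
            members[name] = set(filter(None, users.split(",")))
    return members


def orphaned_privileges(group_text, roster):
    """(user, group) pairs where the user is not 'active' in the roster."""
    return sorted((u, g) for g, us in privileged_members(group_text).items()
                  for u in us if roster.get(u) != "active")


def shared_account_logins(auth_log, shared=("root",)):
    """(account, source IP) for logins to shared superuser accounts."""
    return [(m.group(1), m.group(2)) for m in LOGIN_RE.finditer(auth_log)
            if m.group(1) in shared]
```

Run against real hosts, the roster would come from the identity store and the group and log data from each server; every orphaned pair is a de-provisioning gap, and every shared-account login is an action nobody can be held accountable for.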
